Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Monday July 25 2016, @01:27PM   Printer-friendly
from the we-should-flog-the-virus-writers dept.

Original URL: http://www.itworld.com/article/3099084/researchers-release-free-decryption-tools-for-powerware-and-bart-ransomware.html#tk.rss_news

Security researchers have released tools this week that could help users recover files encrypted by two relatively new ransomware threats: Bart and PowerWare.

PowerWare, also known as PoshCoder, was first spotted in March, when it was used in attacks against healthcare organizations. It stood out because it was implemented in Windows PowerShell, a scripting environment designed for automating system and application administration tasks.

Researchers from security firm Palo Alto Networks have recently found a new version of this threat that imitates a sophisticated and widespread ransomware program called Locky. It uses the extension .locky for encrypted files and also displays the same ransom note used by the real Locky ransomware.

This is not the first time the PowerWare/PoshCoder creators have imitated well-designed ransomware threats, probably in an attempt to convince users that there's no point in trying to recover their files without paying. In the past, they've used the CryptoWall and TeslaCrypt ransom notes.

Luckily, PowerWare is nowhere near as strong as the ransomware programs it impersonates. It uses the AES-128 encryption algorithm, but with a hard-coded key, which allowed the Palo Alto researchers to create a decryption tool that should work at least for this latest variant.

Also this week, researchers from antivirus firm AVG managed to crack another ransomware program called Bart that first appeared in June. This threat is notable because it locks files inside password-protected ZIP archives instead of using sophisticated encryption algorithms.

Bart infections are easy to identify because the affected files will have the extension .bart.zip appended to their original name and extension -- for example document.docx will become document.docx.bart.zip.

Bart's ZIP-based encryption uses a very long and complex password, but the AVG researchers have figured out a way to guess the key using brute-force methods. Their Bart decryption tool requires the user to have at least one unaffected copy of a file that has been encrypted.

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Monday July 25 2016, @06:07PM

    by Anonymous Coward on Monday July 25 2016, @06:07PM (#379951)

    D'oh "license free" was supposed to be "licensing cost free," as you have to get a special license, and usually pay for it, in order to implement that part of the specification.